Computers and computing systems are often interlinked in a network to provide easy communications and data transfer between the various components of the network. Such networks may be composed of mainframes, minicomputers, and microcomputers, and may indeed be composed of combinations of all of the above. Each system on the network will typically operate under control of a software program, providing access to a database. In some systems, dummy terminals, or microcomputers configured to act as dummy terminals, will provide communications with the computing system.
Security for system resources and data stored on the system, are a primary concern for most computing systems. Many systems have been proposed for controlling access to computing resources and the data. For example, one of the most commonly used security systems for mainframe computers is the Resource Access Control Facility (RACF) provided by International Business Machines Corporation (IBM). The RACF employs controlling software on a mainframe associated with a RACF database. The RACF not only controls access to the computing system, but also controls the level or amount of access allowed to a user. In the RACF security system, a unique RACF user identifier is assigned to each user. Each RACF user identifier has a unique password to verify the identity of the user requesting access to the computing system.
The RACF enables organizations to define individuals and groups who use the system that the RACF protects. For example, a group may be defined that encompasses a collection of individuals having common needs and requirements. The RACF also enables an installation to define authority levels for a user or a group of users. The authority levels control what a user or member of a group can do on the system. The RACF also protects the system's resources, protecting an organization's information stored on the system by controlling which users have authority to access a system resource, such as a document or program.
The RACF stores all information about users, groups and resources in user, group and resource profiles. A profile is a record of RACF information that has been defined by a security administrator. A user profile provides user attributes that describe the system-wide and group-wide access privileges to protected resources for a user. Similarly, a group profile defines the authority that a user who is a member of the group has to access resources belonging to the group. A resource profile defines the type of authority a user needs to access a specific resource. A resource profile may contain an access list as well as a default level of access authority for the resources the profile protects. An access list identifies the access authorities of specific users and groups, while the default level of access authority applies to any user not specifically included in the access list.
As the number of computers or data centers increases, and as the number of users increase, the security system becomes more difficult to maintain. Even the process of assigning new user identifiers takes up an inordinate amount of time and expense.
Such computing systems are often used in businesses and schools. In such situations, each computing system or data center is often associated with a group or department within the business or school. As the number of users increases, the number of changes required to maintain the security system overwhelms the ability of security personnel to maintain the system. For example, the level of access privilege may be associated with a department to which a user is assigned. Each time the user is reassigned to a new department, security personnel have to adjust the level of access privilege for the user identifier assigned to that user.
Such a large system presents numerous problems for those in charge of system security. Problems may include assigning duplicate user identifiers to more than one user, failure to provide timely access for new users or to terminate access to terminated users in a timely manner, and failure to update the level of access privilege in a timely manner. A related problem, is the assignment of multiple user identifiers to a single user across a number of computing systems. Such multiple assignment makes it difficult for the user to remember the correct user identifier, often causing the user to write the user identifier and any associated password down, making the user identifier and password vulnerable to theft. Such multiple assignment of user identifiers may also make it difficult to screen the system for improper access privilege and level of access privilege. Such systems are particularly vulnerable to terminated employees and contractors, who may seek access to the system resources and/or data after the end date of their employment.